Split authentication methods for customers and agents


15 Comments

  • Jonathan N'Goran

    We have SSO enabled for both agents and customers. We want to use SAML for our agents and JWT for our customers. If we set up JWT to be the default mechanism, our Azure AD SAML integration is no longer working. When we set up JWT as default, the logout URL is no longer working for JWT. What should be the proper configuration?
    Thanks,

    0
  • Robin Frerichs

    Hey Jonathan!

    Great question, the trick is to enable both, make the one you want to use for end-users the primary one using the SSO switch that appears when you enable both SAML and JWT, and finally you create a button in your Help Center called "Sign in for agents" that will point to the Login URL for agents :)

    0
  • Martin Meraner

    Hi,

    I do not get the following:

    1. Note:  you will not be able to select different SSO configurations for end-users vs. agents if you select SSO for both.

    We use ADFS, does this mean that I can only have one Relying party definition and that I have to send the role admin/agent/user via ADFS. So all values on both SSO (admin+agent, end user) settings under security have to be the same?

    Best

    Martin

    0
  • Anna Everson

    Hi Martin,

    You can set up SSO with ADFS (see this article if you haven't already) for both agents and end-users, and you can even map custom roles (more on that here.) You don't need to set up multiple relying party trust identifiers, you just need to be able to tell Zendesk which people are agents, either by sending that from ADFS when they log in or having a Zendesk admin set that manually in the agent interface. If you don't want to map roles from ADFS to Zendesk, users who sign in who don't exist yet in Zendesk will be marked end-users. The Zendesk security settings will be the same in this case for both agents and end-users.

    Hopefully I understood your question correctly. You can always send a ticket to support@zendesk.com if you need to talk more about your specific use-case.

    Thanks!

    0
  • Martin Meraner

    Hi, yes that totally explains it. Thanks for the clarification.

    0
  • David Richardson

    We have agents log in via Microsoft Office 365, via the I am an Agent link on the regular login. We want to enable SSO/JWT for end users, but when we turn this on, we no longer have access to the I am an Agent link. Is there a direct link to log in as an Agent via Office 365 that redirects to the agent's dashboard? As of now we are planning on keeping the Zendesk Auth as a backup to SSO but the backup page https://<ourdomain>.zendesk.com/access/normal doesn't have the "I am an Agent" link either.

     

    0
  • Brett Bowser
    Zendesk Community Team

    Hey David, 

    Your agents should be able to navigate to subdomain.zendesk.com/agent to navigate to the Support login page for agents.

    Are you experiencing anything different on your end?

    0
  • David Richardson

    Brett,

      That did the trick.  I must have missed that link in the documentation and the one on the login page before implementing SSO was a direct link to MS.

    Thanks,

    David

    0
  • Brett Bowser
    Zendesk Community Team

    Happy to help David :)

    0
  • Frank Rivers

    Great question, the trick is to enable both, make the one you want to use for end-users the primary one using the SSO switch that appears when you enable both SAML and JWT, and finally you create a button in your Help Center called "Sign in for agents" that will point to the Login URL for agents :)

    This does not seem to work. Pointing a link to the SSO login for agents just redirects to the JWT login.

    0
  • Dr. J

    Hey there Frank — for your new link "Sign in for agents" - are you hyperlinking to SUBDOMAIN.zendesk.com/agent ?

    I believe that should redirect to the appropriately specified authentication strategy.  If you're still having trouble, please do reach out to our support team, and share the link to the page where you've created the new button, and to where you're hyperlinking?

    Thank you very much! 

    0
  • Frank Rivers

    Dr. J, thanks for responding. 

    I'll just say that with JWT set as Primary, when I put subdomain.zendesk.com/agent in a browser, it automatically goes to the authentication screen for the JWT method. In our case, this is a corporate app for end users. Even when I hit the Azure Application SSO URL directly, ZD still redirects me to the JWT sign-in. 

    The only way to get this working is to change SAML to Primary but when I do that, end users have no way to sign in to the help center via JWT. So something seems broken here.

    0
  • Dr. J

    Hi there Frank! - yep, you're 100% on the mark, as there can only be one default SSO method selected.  If you're seeing that behavior, then it's likely something is a bit amiss.  What I've recommended to similar users in the past is to have two sign in buttons (if needed), something like:

    • One for customers (that uses the normal SSO redirect strategy)
    • A second, that links directly to your Azure App SSO URL

    (There may be something in your implementation here, as that shouldn't redirect to us, unless the user is authenticated fully, and you're sending a "return-to" command with authentication.)  My guess is that the Azure app is returning you to the Help Center as an unauthenticated agent, which then triggers the JWT customer authentication.

    If you authenticate the agent at Azure, and specify an agent dashboard URL (or any desired), it shouldn't catch you in the loop.

    If you're still having trouble after reviewing this, please click on the Get help button, our team would be delighted to assist!

     

    0
  • Frank Rivers

    Dr. J, 

    The issue is that no matter what URL I'm using, it redirects to the JWT login. For example subdomain.zendesk.com/agents is redirecting to the help center. It may be a configuration issue on our end where everything seems to redirect to the help center (which in turn goes to the JWT end user login). If so, I need to know where to go to fix this.

    I opened up a case (with the lowest priority) already and I've gotten no response.

    0
  • Dr. J

    Thanks Frank - the team will be in touch soon to help with this, thank you for your patience, and for opening a ticket, sir!

    0
